Councilofthe EuropeanUnion Brussels,21January2015 (OR.en) 16974/14DATAPROTECT187JAI1020MI1009 DRS173DAPIX188FREMP229 COMIX677CODEC2526.

Transcription

1 ConseilUE Councilofthe EuropeanUnion Brussels,21January2015 (OR.en) InterinstitutionalFile: 2012/0011(COD) PUBLIC 5331/15 LIMITE DATAPROTECT5 JAI25 MI23 DRS6 DAPIX10 FREMP5 COMIX26 CODEC55 NOTE From: To: Subject: Presidency WorkingGrouponInformationExchangeandDataProtection(DAPIX) ProposalforaRegulationoftheEuropeanParliamentandoftheCouncil ontheprotectionofindividualswithregardtotheprocessingofpersonal dataandonthefreemovementofsuchdata(generaldataprotection Regulation) -DiscussionnoteonpossiblethresholdsforsubmitingcasestotheEDPB Background 1. AttheCouncilmeetingof4December2014,theministersengagedinanorientationdebate ontheone-stop-shopmechanism,duringwhichamajorityof MemberStateslenttheirsupportto thegeneralarchitectureoftheone-stop-shopasoutlinedinthepresidencynote 1.Aminorityof MemberStatesvoicedseriousconcernsonthePresidencynoteandthoughtthatthearchitecture outlinedthereindidnotguaranteethatthegoalsfortheone-stop-shopwhichthecouncilhadat previousoccasionssetwouldbeatained /14DATAPROTECT187JAI1020MI1009 DRS173DAPIX188FREMP229 COMIX677CODEC /15 GS/np 1 DGD2C LIMITE EN

2 The President concluded that there was a majority in the Council which could endorse the general architecture of the one-stop-shop mechanism outlined in the Presidency note, including the idea of a co-decision mechanism between the data protection authorities concerned and the legally binding nature of the decisions of the European Data Protection Board. 2. In the meantime, the German and French delegations have tabled a proposal 2, which is aimed at further developing the one-stop-shop mechanism. The proposal, which contains a revised version of a significant number of relevant articles, would circumscribe the cases in which the one-stopmechanism could be triggered and hence also the cases which could be referred to the EDPB. This proposal will be discussed at the DAPIX meeting of January The Presidency deems it expedient to discuss, at the same meeting, other questions related to the functioning of the one-stopshop mechanism, in particular other possible 'thresholds' for referring cases to the EDPB. 3. One of the main remaining concerns surrounding the functioning of a future one-stop-shop mechanism relates to the possible overburdening of the European Data Protection Board. The Presidency is therefore inviting delegations to express themselves on the idea of introducing additional 'thresholds' for submitting cases to the EDPB, in particular, but not exclusively the possible quantitative and qualitative thresholds set out hereafter. Quantitative filter for 'objecting' DPAs 4. The text of the outgoing Presidency provided that any of the supervisory authorities concerned could express a reasoned objection to the draft decision of the lead DPA. If the lead supervisory authority does not follow the objection, the matter would be submitted to the EDPB. The German-French proposal suggests adding an extra filter by requiring that the objection must be "serious", without however specifying which authority will assess the seriousness of the objection. This substantive filter is coupled with a procedural one, by entrusting the Board with the power to reject - by simple majority - objections that are not considered serious /15 DATAPROTECT 4 JAI 23 MI 22 DRS 5 DAPIX 9 FREMP 4 COMIX 25 CODEC /15 GS/np 2

3 5. Both the text of the outgoing Presidency and the German-French note thus provide each DPA concerned with the power to 'block' the decision-making process within the cooperation mechanism. This has two important consequences. First, any DPA concerned has the power to trigger the consistency mechanism and have a matter submitted to the Board. Second, the absence of any threshold in terms of relative number of DPAs concerned implies that the lead DPA can be prevented from adopting the decision it intends to adopt by the (serious) objection of just one DPA. Delegations are invited to indicate whether: the (serious) objection of only one DPA should suffice to trigger the referral of a case to the EDPB; or there should be a quantitative threshold requiring a relative number of DPAs concerned to lodge a (serious) objection: 1/3, 1/2 or 2/3 of all DPAs concerned. 6. Whilst a quantitative threshold has the advantage of constituting an extra filter for submitting cases to the EDPB, it also carries with it the disadvantage that a 'local' DPA may be forced to adopt and enforce a decision of another DPA to which it objects and which is not based on a decision taken by a Union body. If, in a case where a DPA has received a complaint, a majority of Member States want to reject in whole or in part the complaint, that DPA could thus be obliged to adopt and enforce such decision, even if it disagrees with it. One way to 'prevent' such outcome, is to provide each DPA concerned, including the DPA where the complaint has been lodged, with the possibility to 'block' a decision within the cooperation mechanism. This would also rule out the constitutional problems that might ensue in some Member States if a DPA would be overruled by other DPAs in the context of the cooperation mechanism. 7. At least as far as the lead authority is concerned, it is difficult to envisage that it would not have such power within the cooperation mechanism. Under the current draft, within the cooperation mechanism, it is the lead authority which drafts a decision. The co-decision principle, which was endorsed by the Council, carries with it the 'inherent' risk that the lead authority may be 'outvoted' by other data protection authorities concerned. But whilst other DPAs concerned have the power to raise (serious) objections against it and thus 'force' a submission to the Board, they cannot, at that stage, impose a decision on the lead authority. The lead authority may equally object to any supervisory authority dealing with a complaint as a purely local case and thus submit the matter to the European Data Protection Board. 5331/15 GS/np 3

4 Qualitative filter for 'objections' being submitted to the co-operation mechanism/consistency mechanism 8. Distinct from a possible quantitative threshold for submitting matters to the Board, one could also envisage to limit the subject-matter the Board could be asked to decide upon. One of the most important questions surrounding the one-stop shop mechanism concerns the scope of the single decision that will be agreed upon, either between the DPAs concerned (cooperation mechanism), or by the EDPB (consistency mechanism). In case of an investigation into a possible data protection violation, whether it is initiated by the DPA on its own behalf or further to a complaint, a distinction may be made between the following four tasks of the DPA: (1) establishing the facts; (2) establishing whether these facts amount to a violation of the Regulation or other data protection rules; (3) determining the corrective measures to be applied, including possible sanctions; and (4) ensuring that the corrective measures are enforced. 9. Task (1) is a factual task which should be carried out by the lead DPA, possibly with the assistance of other DPAs. Even if it is not excluded that the DPAs concerned amongst them have discussions about facts, it is difficult to envisage that a DPA should be allowed to trigger the consistency mechanism by objecting to the lead DPA's assessment of the facts. Task (4) falls outside the scope of the consistency (and the cooperation) mechanism as well. After the DPAs concerned and the lead DPA agree on a decision in the context of the cooperation procedure, the lead DPA and/or the DPA to which the complaint has been lodged adopt the decision and notify it to the main establishment, which will then ensure its implementation (pursuant to company law). Indeed, the German-French note suggests that the power of the main establishment to have such decisions enforced is a conditio sine qua non for an establishment to be recognised as main establishment. 5331/15 GS/np 4

5 10. By contrast task (2) should be part of the scope of the consistency mechanism. The key question is whether the cooperation and consistency mechanism should be extended to the third task of the DPA role, namely the determination of the corrective measures. The fact that the imposition of sanctions is part and parcel of the enforcement of the General Data Protection Regulation pleads in favour of the inclusion of this aspect in the consistency mechanism. Corrective measures are inherently linked to the existence of an infringement; if the Board has found there has been an infringement and the lead DPA would impose an insignificant sanction, the consistency mechanism would become devoid of purpose. There are, however, also some arguments which militate against the inclusion of this aspect in the scope of the consistency mechanism. First, the inclusion of this task will undoubtedly lead to an increase in the workload of the Board: (i) in cases where the Board is asked to pronounce itself on a possible violation of the Regulation, it may also be asked to look into the corrective measures; and (ii) there will be cases which will be referred to the Board only because of a dispute on the corrective measures to be imposed. Second, in the decision-making process of national DPAs regarding corrective measures to be imposed following a data protection violation, DPAs may take account of many different factors (see paragraph 2a of Article 79), some of which may be proper to the Member State concerned. Moreover, the single decision to be agreed upon in the context of the one-stop-shop mechanism cannot take account of relevant Member State legislation, such as, for example, (constitutional) rules on the freedom of expression This legislation may also play an important role in the determination of which corrective measures to apply. However, the interplay with national law is a separate issue which is equally relevant for the second aspect of the DPA decision-making process. The role of the Board will therefore have to be defined in such a way that it leaves sufficient leeway for the EDPB decision to be implemented at national level by taking account of national law, where applicable. In other words, the EDPB decision should be limited to the interpretation and application of the Regulation and should not pre-empt any application of national law in cases where national law is applicable. 11. Delegations are invited to indicate whether they think the EDPB should be tasked: only with taking decisions as to whether the facts amount to a violation of the Regulation or other data protection rules; or also with determining the corrective measures to be applied, including possible sanctions. 5331/15 GS/np 5